Twitter Off to a Rough 2009

You might be familiar with phishing attacks, those messages sent by criminals that look like they’re from a bank or Nigerian prince. But what about Twishing?

The term may enter the tech lexicon this week, thanks to an attack targeting the Web site Twitter, which runs a popular service that lets people share short updates about what they’re doing. (Blame Brian Krebs of the Washington Post if it sticks.) Over the weekend, cyber baddies sent phishing messages via Twitter’s service to other account holders. The message directed people to a Web site that looked like Twitter’s home page, but was really operated by the bad guys. As people logged in to the fake Twitter site, the bad guys captured their user names and passwords. Twitter warned account holders Saturday about the scam in a post on its blog, and advised those concerned to change their passwords.

Why would the bad guys want login information for a free service that doesn’t capture much personal information about its customers? Because many people have the same user name and password for everything, speculates Graham Cluley, a consultant at tech-security company Sophos. Also, the bad guys could impersonate some of the people whose accounts they compromised to trick their friends into disclosing more valuable information.

Or they could just try to embarrass people. On Monday, Twitter accounts belonging to pop star Britney Spears, Fox News, and President-elect Barack Obama, among others, were, um, updated with messages not sent by the account holder. Fox’s “update” announced that Bill O’Reilly was gay; Spears’s was too obscene to paraphrase. A tweet (as the messages are known) from CNN anchor Rick Sanchez said that he was “high on crack.”

In its blog, Twitter said that fake updates—which have since been removed—were sent from 33 different celebrity accounts, and that the cause was a security problem unrelated to the phishing attack.